CNIL Cracks Down on Employee Video Monitoring and Password Strength


In a recent decision (deliberation CNIL May 30, 2013 n°2013-139), the French Data Protection Agency (CNIL) sanctioned a company for implementing a CCTV system without informing employees, and because the system enabled the constant monitoring of one employee, making the recording disproportionate to the goal pursued. The CNIL also sanctioned the company because it failed to implement an adequate level of security for the data housed on its systems.

During an on-site inspection, the agents of the CNIL noticed that the passwords used within the company to log into its systems, and therefore to access personal data stored within those systems, were simple to crack. Indeed, most of them were only 5 characters long, and some of them were only the surname or name of the employees and had not been changed since 2011.

The CNIL therefore required that the company implement a data security policy. 

After another on-site inspection, the agents of the CNIL noticed that, despite its commitments, the company had not implemented such a policy.

The CNIL concluded that the company did not provide for an adequate level of protection of data given that the passwords were short, simple and not modified.

According to Article 34 of the French Data Protection Act of January 6th, 1978, the data controller shall take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties.

In a previous post, we highlighted the recommendations enacted by the CNIL to help companies to strengthen the security of their data processing.

In light of the vulnerabilities noticed during the on-site inspections and the failure of the company to properly address them, the company was required by the CNIL to pay a €10,000 fine.

Companies located in France must therefore pay particular attention to their data security policies to make sure that they comply with French data protection law requirements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising
